Learning Network Penetration Testing Or Ethical Hacking


It often appears difficult for newcomers to follow the right steps to learn network penetration testing or ethical hacking, also known as network security audit, network security testing, etc. This blog entry is not a comprehensive network penetration testing guide; it is only meant to help in picking the right learning path. Learners often drift away from the underlying technology concepts and keep chasing different tools that achieve the same task. If the basic concepts are not clear, newcomers will keep making mistakes in penetration testing assignments.

In the steps below, we share an approach that can help newcomers get a better grasp of network penetration testing. The most important part, however, is to focus on technology and concepts rather than tools.

Network Penetration Testing Learning Steps

1. Start with networking concepts. Read about the OSI layers and understand the functionality of each layer. Map OSI to TCP/IP to understand the real networked world. Don’t start with a networking bible; simply understand the role of the different layers, not theoretically but in practical scenarios. You should be able to say which OSI layer a router, firewall, switch or NIC works on. IP address calculations are also helpful.

2. As a long-term goal, it is always good to go through the RFCs of the most used protocols, including IP, TCP, UDP, ICMP, etc. Knowing the protocol headers and the role of the different header components helps in recognizing network traffic. No one can recall all of this, so there is no need to stress if you cannot remember the headers.

3. Once knowledge of the basic networking protocols is developed, it is a good exercise to identify the protocols in practical scenarios. Wireshark is a tool used in network penetration testing to analyze network traffic. Install Wireshark and start converting theoretical knowledge into practice by analyzing the different packets flowing out of your machine. Learn how to filter traffic using Wireshark’s built-in filters. Also, use a packet generator like Hping to generate some traffic and analyze it in Wireshark. At this stage, IP spoofing can also be learned.

4. Network penetration testing is all about learning network attacks. Attacks should be learned bottom-up through the OSI layers. So a good pick is ARP poisoning, for which Ettercap is a good tool. Use Ettercap and also try to learn the usage of its various plugins. Keep watching Wireshark if you would like to understand more.

5. Before you start attacking any server or network device, it is a good idea to learn about different network services. How would you attack an LDAP server if you are hearing of LDAP for the very first time? At this stage, a book on MCSE or RHCE can be picked up to learn the basics of networking services on Windows and/or Linux servers. Since most of the tools required to conduct network penetration testing are based on Linux, it is a good idea to learn Linux. Which flavor? Ubuntu and Debian are the better bet as a recommendation from our side; learners can however pick Fedora, CentOS, or another.

6. Once a basic understanding of the different server components or network services is developed, it’s time to configure them one by one in a test lab. VirtualBox can be used here to create a virtual lab. Learn more about VirtualBox and its features to use it effectively. There are a few vulnerable virtual machines available on the internet, like “Damn Vulnerable Linux” or Metasploitable, but we recommend configuring your own for a better understanding.

7. Once a vulnerable machine is running, start the network penetration testing by using a port scanner. NMAP is the de facto tool for port scanning. But remember, NMAP is much more than a port scanner, and a learner needs to explore more of it by learning NMAP scripts and other features. You should know what you are doing, not simply copy and paste NMAP commands from some tutorial.

8. Before you scan the vulnerable machine for vulnerabilities, you need to learn about different vulnerabilities. One of the approaches that we share in our long-term training program is to run the scan and learn the reported vulnerabilities one by one before running the second scan. This approach is hit-and-trial, though, and only works with a long-term learning goal. However, learning ahead of running a scan will add more to it.

9. Now pick up a vulnerability scanning tool like Nessus. Learn how to use Nessus in different scenarios and run your first vulnerability scan. Once the scan completes, check the results. If you cannot understand a result, start searching and reading about it. This phase is called vulnerability assessment or vulnerability scanning.

10. Once vulnerabilities are highlighted by the tool, you need to perform penetration testing, which means actually exploiting the vulnerabilities and gaining access to the machine. Metasploit is a nice tool to help at this stage. Learn Metasploit and Meterpreter and, if you like a GUI, learn Armitage as well. Some vulnerabilities do not have ready exploits in Metasploit and you might need to search for them online. But a learner should clearly be able to identify which vulnerabilities are exploitable and which are not.

11. Kali, previously known as BackTrack, is an operating system that includes most of the tools required for network penetration testing. Explore these to attack specific protocols or for reconnaissance, which is not covered by the tools mentioned above. In this document, we haven’t covered reconnaissance, also called foot-printing, since this tutorial assumes lab-based penetration testing. However, in practical scenarios a lot of initial time is spent on reconnaissance.

12. The next step is to study the different networking components, including routers, switches, firewalls, IPS, VPN, etc., and different network architectures. It is also recommended to learn which network components are found in an enterprise network, so that good recommendations can be offered to customers on penetration testing findings. Check with friends working as network administrators or system administrators to learn more about how networks are designed.

13. Once expertise is developed in the above and few protocols, components or network services sound new to you anymore, advanced penetration testing procedures can be adopted. It is important to learn a programming language; we recommend Ruby or Python. Learn protocol/software fuzzing along with the art of exploit writing to get going.
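
As an added example (not part of the original post), steps 1 to 3 can be practised without any tool: the Python sketch below decodes a constructed Ethernet/IPv4/TCP frame field by field, verifies the IPv4 header checksum (RFC 1071), and does the subnet calculation that decides whether a destination is reached directly at layer 2 or via a router. The frame bytes, the addresses (documentation range 192.0.2.0/24) and the function names are assumptions made for illustration.

```python
import ipaddress
import struct

# Constructed sample (not a real capture): Ethernet + IPv4 + TCP SYN; TCP checksum left at zero, unverified.
FRAME = bytes.fromhex(
    "020000000002 020000000001 0800"   # L2: dst MAC, src MAC, EtherType (IPv4)
    "45000028 00014000 4006b6b0"       # L3: ver/IHL, length, ID, flags, TTL, proto, checksum
    "c000020a c0000214"                # L3: src 192.0.2.10, dst 192.0.2.20
    "c0000050 00000001 00000000 5002faf0 00000000"  # L4: TCP header (20 bytes)
)
TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 over a full header means it verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def on_link(src: str, dst: str, prefix: int) -> bool:
    """Subnet calculation: True if dst is in src's network (no router needed)."""
    return ipaddress.ip_address(dst) in ipaddress.ip_interface(f"{src}/{prefix}").network

def parse_frame(frame: bytes) -> dict:
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"l2": {"src": src.hex(":"), "dst": dst.hex(":"), "ethertype": ethertype}}
    ip = frame[14:]
    if ethertype != 0x0800 or len(ip) < 20:       # not IPv4, or too short to decode
        return out
    ver_ihl, _, total_len, _, frag, ttl, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4                    # header length is counted in 32-bit words
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")
    out["l3"] = {"src": str(ipaddress.ip_address(s)), "dst": str(ipaddress.ip_address(d)),
                 "ttl": ttl, "proto": proto, "dont_fragment": bool(frag & 0x4000),
                 "checksum_ok": inet_checksum(ip[:ihl]) == 0}
    tcp = ip[ihl:total_len]
    if proto != 6 or len(tcp) < 20:               # only TCP is decoded at layer 4
        return out
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    out["l4"] = {"sport": sport, "dport": dport, "seq": seq, "window": window,
                 "flags": [n for i, n in enumerate(TCP_FLAGS) if off_flags & (1 << i)]}
    return out

if __name__ == "__main__":
    print(parse_frame(FRAME), on_link("192.0.2.10", "192.0.2.20", 28))
```

Comparing the decoded fields with what Wireshark shows for a frame captured in your own lab is a quick way to check that the header layout has been understood.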

Please note that this document is not a full-fledged network penetration testing document or our standard methodology, nor does it include all the tools that we use as a penetration testing company. It is just meant to help learners follow a road-map and not drift towards network penetration testing tools.

Please take a minute to submit your feedback at info@torridnetworks.com to encourage us to write more for you.